Spring security/hibernate: Bad credentials even if they're right?


Problem description


Hey I am having a bit of a mess with my springsecurity based login

I keep getting the error "bad credentials"

Here's my user table:

![Usertable][1]

Here's my dataSource from the applicationContext:

<!-- database driver/location -->
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
    <property name="driverClassName" value="com.mysql.jdbc.Driver" />
    <property name="url" value="jdbc:mysql://localhost:3306/ams" />
    <property name="username" value="root" />
    <property name="password" value="root" />
</bean>

and my securityContext:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:tx="http://www.springframework.org/schema/tx"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
              http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
              http://www.springframework.org/schema/security 
              http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- <security:http auto-config="true" access-decision-manager-ref="accessDecisionManager"> -->
    <security:http auto-config="true">
        <security:intercept-url pattern="/login/login.do" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/login/doLogin.do" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/lib/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/css/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/images/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_REMEMBERED" />
        <security:form-login login-page="/login/login.do" authentication-failure-url="/login/login.do?login_error=true" default-target-url="/test/showTest.do"/>
        <security:logout logout-success-url="/login/login.do" invalidate-session="true" />
        <security:remember-me key="rememberMe"/>
    </security:http>    


    <security:authentication-manager>
        <security:authentication-provider>
            <security:jdbc-user-service data-source-ref="dataSource" 
            users-by-username-query="select USERNAME as username, PASSWORD as password, DELETED as deleted from ams.user where USERNAME=?"
            authorities-by-username-query="
                select distinct user.USERNAME as username, permission.NAME as authority 
            from scu.user, scu.user_role, scu.role, scu.role_permission, scu.permission
            where user.ID=user_role.USER_ID AND user_role.ROLE_ID=role_permission.ROLE_ID AND role_permission.PERMISSION_ID=permission.ID AND user.USERNAME=?"/>
            <!-- security:password-encoder ref="passwordEncoder" /> -->
        </security:authentication-provider>
    </security:authentication-manager>

    <bean id="passwordEncoder"
        class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
        <constructor-arg value="256" />
    </bean>
</beans>

When I try to log in with: admin and init01

it gives me the error bad credentials... =(

ANY suggestions are appreciated!!!

Solution

The password-encoder reference in your authentication-provider is commented out. You need a password encoder if you are using hashed passwords (as you should be). Also check this answer, particularly point 2 about writing a test to make sure the password encoder you are using matches what you have stored in the database.

You might also want to check this answer on using bcrypt as a more secure alternative to plain SHA hashes.
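
A check of the kind the answer describes, as an added example that is not part of the original question or answer. It assumes Spring Security 3.x on the classpath (the legacy `authentication.encoding` package the question's bean uses) and that the PASSWORD column holds an unsalted hex SHA-256 hash; the class name `EncoderMatchCheck` is hypothetical.

```java
import org.springframework.security.authentication.encoding.PasswordEncoder;
import org.springframework.security.authentication.encoding.PlaintextPasswordEncoder;
import org.springframework.security.authentication.encoding.ShaPasswordEncoder;

// Hypothetical helper class; needs spring-security-core 3.x on the classpath.
public class EncoderMatchCheck {

    // True when the encoder accepts rawPassword for the value stored in the PASSWORD column.
    // The salt is null because the question's jdbc-user-service declares no salt source.
    static boolean matches(PasswordEncoder encoder, String storedValue, String rawPassword) {
        return encoder.isPasswordValid(storedValue, rawPassword, null);
    }

    public static void main(String[] args) {
        String rawPassword = "init01"; // login password from the question
        PasswordEncoder sha256 = new ShaPasswordEncoder(256); // same bean as in the securityContext

        // Pass the real column value as the first argument. Without one, a constructed
        // sample is used: the unsalted hex SHA-256 the encoder itself produces (assumption).
        String storedValue = args.length > 0 ? args[0] : sha256.encodePassword(rawPassword, null);

        // No <security:password-encoder> configured: the provider compares as plaintext,
        // so a stored hash never equals the typed password.
        boolean plaintextOk = matches(new PlaintextPasswordEncoder(), storedValue, rawPassword);
        // Encoder wired in: the typed password is hashed before comparison.
        boolean sha256Ok = matches(sha256, storedValue, rawPassword);

        System.out.println("plaintext comparison accepts login: " + plaintextOk);
        System.out.println("SHA-256 encoder accepts login:      " + sha256Ok);
        if (!sha256Ok) {
            System.out.println("Stored value was not produced by ShaPasswordEncoder(256) without salt.");
        }
    }
}
```

Run it with the value copied from the user table as the only argument; if the second line prints `false`, the stored hash was created with a different algorithm, salt or encoding than the configured encoder expects.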
